
Bug 916900 (CVE-2023-47258, CVE-2023-47259, CVE-2023-47260)

Summary: <www-apps/redmine-5.0.6: multiple XSS vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: ajak, azamat.hackimov, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
See Also: https://github.com/gentoo/gentoo/pull/33748
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-05 17:10:48 UTC
CVE-2023-47258:

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter.

CVE-2023-47260:

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails.

CVE-2023-47259:

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter.
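The three CVE entries above share one affected-version statement, "before 4.2.11 and 5.0.x before 5.0.6". The following is an added example, not code from this bug, from Redmine or from the Gentoo ebuild, that turns that statement into a check an administrator can run against an installed tree. It uses the standard rubygems `Gem::Version`/`Gem::Requirement` comparison (the same ordering Bundler uses, so prerelease builds sort below their final release) and assumes that Redmine's `lib/redmine/version.rb` declares the version as `MAJOR`, `MINOR` and `TINY` integer constants; the sample file content embedded below is constructed for the example.

```ruby
# Added example: is an installed Redmine inside the affected range
# "before 4.2.11 and 5.0.x before 5.0.6" named by the CVE text?
require 'rubygems'

# The advisory wording as Gem::Requirement ranges. Anything below 4.2.11
# (3.x, 4.0.x, 4.1.x, 4.2.0 to 4.2.10) is affected; on the 5.0 branch,
# anything below 5.0.6 is affected. 4.2.11+, 5.0.6+ and 5.1+ are not.
AFFECTED_RANGES = [
  Gem::Requirement.new('< 4.2.11'),
  Gem::Requirement.new('>= 5.0.0', '< 5.0.6'),
].freeze

# True when +version_string+ falls inside one of the affected ranges.
# Raises ArgumentError for strings that are not valid version numbers
# (Gem::Version rejects them), so a garbage input cannot silently
# come back as "not affected".
def redmine_affected?(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |range| range.satisfied_by?(version) }
end

# Extract "MAJOR.MINOR.TINY" from the text of lib/redmine/version.rb
# without loading the Rails application. Assumption: the file declares
# MAJOR, MINOR and TINY as integer constants, one per line.
def redmine_version_from_source(version_rb_source)
  %w[MAJOR MINOR TINY].map do |name|
    m = version_rb_source.match(/^\s*#{name}\s*=\s*(\d+)/)
    raise ArgumentError, "#{name} not found in version.rb" unless m
    m[1]
  end.join('.')
end

# Constructed sample of a version.rb, standing in for a real checkout.
SAMPLE_VERSION_RB = <<~RUBY
  module Redmine
    module VERSION
      MAJOR = 5
      MINOR = 0
      TINY  = 5
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  # Typical use: point at a checkout instead of the sample.
  #   src = File.read('/var/lib/redmine/lib/redmine/version.rb')
  installed = redmine_version_from_source(SAMPLE_VERSION_RB)
  puts "#{installed}: #{redmine_affected?(installed) ? 'AFFECTED' : 'not affected'}"
  %w[4.2.10 4.2.11 5.0.6.rc1 5.0.6 5.1.0].each do |v|
    puts "#{v}: #{redmine_affected?(v) ? 'AFFECTED' : 'not affected'}"
  end
end
```

Note that 5.0.6 pre-release builds (for example 5.0.6.rc1) sort below 5.0.6 and are therefore reported as affected, which matches how Bundler would resolve a `< 5.0.6` constraint.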
Comment 1 Hank Leininger 2023-11-28 04:20:53 UTC
FWIW I encountered a minor issue trying to use this ebuild: it permits deckar01-task_list-2.3.3, but the Gemfile for 5.0.6 requires 2.3.2. Upstream has not moved to 2.3.3 in any branch that I can find.

I didn't want to fight through surprise issues so I just set =2.3.2 in the ebuild. That required forgoing claiming ruby32 compat because the deckar01-task_list-2.3.2 in ::gentoo has USE_RUBY only up through ruby31.

I don't actually see anything in https://gitlab.com/deckar01/task_list that makes me think 2.3.2 won't work w/ruby 3.2, but I didn't look very closely.
Comment 2 Hank Leininger 2023-11-28 04:21:49 UTC
...Bah, I probably should have commented on https://github.com/gentoo/gentoo/pull/33748 instead of here.
Comment 3 Hans de Graaff gentoo-dev Security 2023-12-02 08:31:28 UTC
(In reply to Hank Leininger from comment #1)

> I didn't want to fight through surprise issues so I just set =2.3.2 in the
> ebuild. That required forgoing claiming ruby32 compat because the
> deckar01-task_list-2.3.2 in ::gentoo has USE_RUBY only up through ruby31.

From a maintenance point of view we prefer to avoid dependencies on specific versions in general, but to facilitate this security issue I've also added ruby32 to the old deckar01-task_list ebuild.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-07 00:20:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec28e1443716cb1a614eef933d6e495b73dce88b

commit ec28e1443716cb1a614eef933d6e495b73dce88b
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2023-11-09 22:29:33 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2024-01-07 00:19:37 +0000

    www-apps/redmine: add 5.0.6
    
    Add ruby 3.2 support, EAPI 8.
    Bug: https://bugs.gentoo.org/916900
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-apps/redmine/Manifest             |   1 +
 www-apps/redmine/redmine-5.0.6.ebuild | 255 ++++++++++++++++++++++++++++++++++
 2 files changed, 256 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-10 05:48:08 UTC
Thanks!